Exploit detection of malware and malware families
Abstract
According to one embodiment, a computerized method comprises accessing information associated with one or more observed events, wherein one or more of the observed events constitutes an anomalous behavior; accessing a reference model based on a first plurality of events, the reference model comprises a first event of the first plurality of events, a second event of the first plurality of events and a relationship that identifies that the second event of the first plurality of events is based on the first event of the first plurality of events, wherein at least one of the first event and the second event constitutes an anomalous behavior; and comparing the information associated with the one or more observed events with the reference model to determine whether at least one observed event of the one or more observed events matches at least one of the first event of the first plurality of events or the second event of the first plurality of events that constitutes the anomalous behavior.
36 Claims
1. A computerized method for detecting malware comprising:
accessing information associated with one or more observed events, wherein the one or more observed events are associated via one or more observed relationships;
accessing a reference model of a plurality of reference models, the reference model is based on a first plurality of events and comprises a first event, a second event and a first relationship that identifies that the second event is based on the first event, wherein a combination of at least the first plurality of events and the first relationship indicates a known cyber-attack;
based on a correlation between the reference model and the accessed information, inferring that at least a third event of the first plurality of events has occurred or a second relationship between two events of the one or more observed events existed, wherein neither the third event nor the second relationship is indicated by the accessed information;
analyzing (i) the information associated with the one or more observed events, and at least one of the third event or the second relationship that were inferred, and (ii) the reference model to determine whether a level of correlation between (a) the one or more observed events, and including at least one of the third event or the second relationship that were inferred, and (b) the reference model is at least a first threshold; and
responsive to determining the level of correlation is at least the first threshold, determining that a combination of the one or more observed events, the one or more observed relationships, and at least one of the third event that was inferred or the second relationship that was inferred are associated with the known cyber-attack,
wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, and wherein each of the one or more observed events, and the third event is an action or operation resulting from an execution of code.
Dependent claims: 2-15.
16. A computerized method comprising:
accessing information associated with a first plurality of observed events comprising a first observed event, a second observed event and an observed relationship that identifies that the second observed event is based on the first observed event;
accessing a reference model of a plurality of reference models, the reference model is based on a second plurality of events comprising a first event, a second event and a relationship that identifies that the second event is based on the first event, wherein a combination of at least the first event, the second event and the relationship indicates a known cyber-attack;
based on a correlation between the reference model and the accessed information, inferring that at least a third event has occurred or a second relationship between two events of the first plurality of observed events existed, wherein neither the third event nor the second relationship is indicated by the accessed information;
analyzing the information associated with the first plurality of observed events, and at least one of the third event or the second relationship that were inferred and the reference model to determine whether a level of correlation between (i) the first plurality of observed events, and at least one of the second relationship or the third event, and (ii) the reference model is at least a first threshold;
responsive to determining the level of correlation is at least the first threshold, determining a combination of the first plurality of observed events and at least one of the third event and the second relationship are associated with the known cyber-attack,
wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, and wherein each of the one or more observed events, and the third event is an action or operation resulting from an execution of code.
Dependent claims: 17-21.
22. A system comprising:
one or more hardware processors; and
a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises
(i) an event log to receive and store information associated with one or more observed events, wherein each of the one or more observed events is associated with at least one of an action or operation occurring during computer processing,
(ii) a data store to store one or more reference models,
(iii) a gathering logic in communication with the data store and the event log that, upon execution by the one or more processors, (a) accesses the information associated with the one or more observed events, and (b) accesses a first reference model of the one or more reference models, wherein a combination of one or more events or one or more relationships included in the first reference model indicates a known cyber-attack, and
(iv) a first logic in communication with the data store and the event log control logic that, when executed by the one or more processors, based on a correlation between the first reference model and the accessed information, infers that at least a first inferred event has occurred or a first inferred relationship existed, wherein neither the first inferred event nor the first inferred relationship is indicated by the accessed information; and
(v) a matching logic in communication with the gathering logic that, upon execution by the one or more processors, (1) analyzes the information associated with the one or more observed events, the first inferred event, the first inferred relationship and the first reference model to determine whether a level of correlation between (a) the one or more observed events, and at least one of the first inferred event or the first inferred relationship and (b) the first reference model is at least a first threshold, and (2) responsive to determining the level of correlation is at least the first threshold, determining a combination of the one or more observed events, one or more observed relationships and at least one of the first inferred event or the first inferred relationship is associated with the known cyber-attack,
wherein each of the one or more observed events, and the first inferred event is an action or operation resulting from an execution of code, and wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events.
Dependent claims: 23-28.
29. A system comprising:
one or more hardware processors; and
a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises (i) an event log to store received information associated with one or more observed events, (ii) a data store to store one or more reference models, and (iii) logic that, upon execution by the one or more processors,
accesses information associated with one or more observed events, wherein a first observed event and a second observed event are associated via a first observed relationship;
accesses a reference model of a plurality of reference models, the reference model is based on a first plurality of events and comprises a first event, a second event and a first relationship that identifies that the second event is based on the first event, wherein a combination of at least the first plurality of events and the first relationship indicates a known cyber-attack;
based on a correlation between the reference model and the accessed information, infers that at least a third event of the first plurality of events has occurred or a second relationship existed, wherein neither the third event nor the second relationship is indicated by the accessed information;
analyzes (i) the information associated with the one or more observed events, and at least one of the third event or the second relationship that were inferred, and (ii) the reference model to determine whether a level of correlation between (a) the one or more observed events, and at least one of the third event or the second relationship that were inferred, and (b) the reference model is at least a first threshold; and
responsive to determining the level of correlation is at least the first threshold, determines that a combination of the one or more observed events, the one or more observed relationships and at least one of the third event or the second relationship is associated with the known cyber-attack,
wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, and wherein each of the one or more observed events and the third event is an action or operation resulting from an execution of code.
Dependent claims: 30-32.
33. A system for detecting malware comprising:
one or more hardware processors; and
a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising:
observing one or more events during processing of an object within a virtual machine;
selecting a reference model of a plurality of reference models based on the one or more observed events, the reference model comprising a first event of a first plurality of events, a second event of the first plurality of events and a relationship that identifies that the second event is based on the first event, wherein a combination of at least the first event, the second event and the relationship indicates a known cyber-attack; and
based on a correlation between the reference model and the accessed information, inferring that at least a third event has occurred or a second relationship existed, wherein neither the third event nor the second relationship is indicated by the accessed information;
analyzing the information associated with the one or more observed events, the reference model, and at least one of the third event or the second relationship to determine whether a level of correlation of (i) the one or more observed events, and at least one of the second relationship or the third event, and (ii) the reference model is at least a first threshold; and
responsive to determining the level of correlation is at least the first threshold, determining a combination of the one or more observed events, and at least one of the third event or the second relationship is associated with the known cyber-attack; and
wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, and wherein each of the one or more observed events is an action or operation resulting from an execution of code.
Dependent claims: 34-36.
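As an added example, not code from the patent or its assignee, the Python below sketches the pipeline the independent claims describe: select a reference model from the observed events, infer the events and relationships the log did not record, score the correlation against the model and compare it to a threshold. The event names, the two inference rules, the reduced weight for inferred items and the threshold value are all assumptions made here.

```python
# Added example, not the patent's or its assignee's code: correlate an observed
# event graph with a reference model of a known attack, inferring events and
# relationships the log never recorded. Names, weights, threshold: constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ReferenceModel:
    name: str
    events: frozenset   # event types whose combination indicates the attack
    edges: frozenset    # (cause, effect) pairs: effect is based on cause

def select_model(models, observed_events):
    """Pick the reference model sharing the most event types with the log."""
    return max(models, key=lambda m: len(m.events & set(observed_events)))

def infer(model, observed_events, observed_edges):
    """An event is inferred when a model predecessor and successor of it were
    both observed (it must have happened in between); a relationship is
    inferred when both endpoints are known but the link itself was not logged."""
    seen = set(observed_events)
    inferred_events = set()
    for ev in model.events - seen:
        preds = {a for a, b in model.edges if b == ev}
        succs = {b for a, b in model.edges if a == ev}
        if preds & seen and succs & seen:
            inferred_events.add(ev)
    known = seen | inferred_events
    inferred_edges = {e for e in model.edges
                      if e[0] in known and e[1] in known and e not in observed_edges}
    return inferred_events, inferred_edges

def correlation_level(model, observed_events, observed_edges, inferred_weight=0.5):
    """Share of the model's events and relationships accounted for; inferred
    items count at a reduced weight because they were not directly seen."""
    inf_ev, inf_ed = infer(model, observed_events, observed_edges)
    matched = (len(model.events & set(observed_events))
               + len(model.edges & set(observed_edges)))
    score = matched + inferred_weight * (len(inf_ev) + len(inf_ed))
    return score / (len(model.events) + len(model.edges))

def is_known_attack(model, observed_events, observed_edges, threshold=0.7):
    """The claimed decision step: correlation at or above the threshold."""
    return correlation_level(model, observed_events, observed_edges) >= threshold

# Constructed model: document opened -> shell spawned -> file dropped ->
# outbound connection; the chain as a whole indicates the known attack.
MACRO_DROPPER = ReferenceModel(
    "macro_dropper",
    frozenset({"open_doc", "spawn_shell", "drop_file", "connect_out"}),
    frozenset({("open_doc", "spawn_shell"), ("spawn_shell", "drop_file"),
               ("drop_file", "connect_out")}))
```

The bridging rule only closes a gap of one unrecorded event; a log missing two consecutive events in the chain yields no inference, so the weaker evidence is not counted toward the threshold.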
Specification